All user authentication is encapsulated in login.php, and that file contains a weakness that leaves the software open to a simple SQL injection attack. Note line 8 of login.php:
..............
<?
if($login == "Submit")
{
require "variables.php";
mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($db);
$query = mysql_query("select id,password from users where name = '$username' and password = password('$pass')");
if(mysql_num_rows($query) == 1)
{
...............
$username goes unmodified into the SQL query, so a possible attack on this vulnerability is:
username: admin' --
Here the password can be left empty, because the "--" comments out the rest of the WHERE clause, so it is never checked; a nonsense password would work just as well. The malicious user can log in as whomever they want and append whatever SQL they like after the "admin'". The only protection against this vulnerability appears to be PHP's magic quotes behaviour, but that will be deprecated in PHP 6, and since keeping it active is not recommended, many PHP hosts will have disabled it and would thus be vulnerable while running this software. I've written a patched login.php and attached it. It uses the built-in mysql_real_escape_string() function to solve the problem.
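To make the difference concrete, here is an added example (not the original login.php, and not the attached patch) that reproduces the query construction from line 8 beside a parameterised rewrite. It is written in Python against an in-memory sqlite3 database standing in for PHP/MySQL; MySQL's PASSWORD() does not exist in sqlite, so a hash is registered under that name as an assumption of the example, and the two user accounts are constructed data.

```python
import hashlib
import sqlite3

# Assumed stand-in for MySQL's PASSWORD(): sqlite3 has no such function,
# so a plain hash is registered under the same name.
def _password(p: str) -> str:
    return hashlib.sha256(p.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    """Constructed in-memory `users` table with two sample accounts."""
    db = sqlite3.connect(":memory:")
    db.create_function("password", 1, _password)
    db.execute("create table users (id integer primary key, name text, password text)")
    db.executemany(
        "insert into users (id, name, password) values (?, ?, password(?))",
        [(1, "admin", "correct horse"), (2, "alice", "hunter2")],
    )
    return db

def login_vulnerable(db: sqlite3.Connection, username: str, pw: str):
    """Same construction as login.php: raw input spliced into the SQL text.

    Returns the user id on success (exactly one row, as the original's
    mysql_num_rows() == 1 check), otherwise None.
    """
    query = (f"select id,password from users where name = '{username}' "
             f"and password = password('{pw}')")
    rows = db.execute(query).fetchall()
    return rows[0][0] if len(rows) == 1 else None

def login_safe(db: sqlite3.Connection, username: str, pw: str):
    """Parameterised rewrite: placeholders keep the input out of the SQL
    grammar, so a quote or a comment sequence in the username is just data."""
    rows = db.execute(
        "select id from users where name = ? and password = password(?)",
        (username, pw),
    ).fetchall()
    return rows[0][0] if len(rows) == 1 else None

if __name__ == "__main__":
    db = make_db()
    # The advisory's payload: the comment marker drops the password check.
    print(login_vulnerable(db, "admin' --", ""))  # 1 (logged in as admin)
    print(login_safe(db, "admin' --", ""))        # None (no such user)
```

With placeholders the same payload is simply looked up as a literal username and finds nothing, while genuine credentials still succeed.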
login.php patch
The attack that I mentioned above using "admin' --" is ineffective; however, the following attacks work:
To login with a username you are already familiar with, for example admin:
username: admin
password: ' OR '1' = '1
or if you don't know a username:
username: ' OR '1' = '1
password: ' OR '1' = '1
will log you in as the first user in the result set. The patch is still good.